Our Blog

Apr 2014

‘Heartbleed’ vulnerability patched, no evidence of compromises



Researchers recently identified a security vulnerability now known as ‘Heartbleed’ that affected the OpenSSL protocol. Kopo Kopo has already patched this vulnerability and found no evidence that accounts, encryption keys, or passwords were comprised.

What is the ‘Heartbleed’ bug?

On 7th April 2014, a security vulnerability (CVE-2014-0160) affecting the OpenSSL protocol was announced. This vulnerability is now commonly referred to as ‘Heartbleed‘. OpenSSL is a popular cryptographic software library that is used to encrypt/decrypt Internet communication.  The vulnerability gets it name from the fact that implementations of OpenSSL version 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets which can allow a remote attacker to obtain sensitive information from process memory. To learn more about the ‘Heartbleed’ bug, check out this blog post courtesy of Krebs on Security.

How we patched the vulnerability 

As service providers around the world race to protect themselves against this vulnerability, we consider it important to update our customers on the steps we have taken to ensure that our application and your data remain secure.

Upon the announcement of the vulnerability, we quickly determined that the version of OpenSSL we were using was among the affected versions. An audit of our application yielded no evidence that we had been compromised or ‘attacked’ in any way. We quickly updated our servers with the FixedOpenSSL release that patches the vulnerable OpenSSL versions. As an extra precaution, we also rotated our SSL certificate(s).

 Extra steps you can take to protect yourself 

Users are encouraged to change their password (this should be a regular practice). You can do this by logging in to your Kopo Kopo account and clicking on your name at the top right hand corner, then changing your password.

 If you have integrated with our APIs (HTTP POST or XML over HTTP), we recommend that you ensure that your API end-points are secure. Make sure that the end-point you provide to Kopo Kopo is secured using SSL. The server that you set to receive POSTS from Kopo Kopo should also be checked for vulnerability. To check if your servers are vulnerable, test your domain (e.g. www.company.com) with either Filippo Valsorda’s Test (link here) or 1st Limited Test (link here).

 Here are the statuses of various versions of OpenSSL:

  • OpenSSL 1.0.1 through 1.0.1f (inclusive) ARE vulnerable
  • OpenSSL 1.0.1g is NOT vulnerable
  • OpenSSL 1.0.0 branch is NOT vulnerable
  • OpenSSL 0.9.8 branch is NOT vulnerable

If your host is reported as vulnerable, you should move quickly to have the security hole fixed.

If you have any questions regarding this issue or any other issue about your account, please call us at 0702 000 222, or email support@kopokopo.com.

- Dennis Ondeng, CTO (@donden1)

Mar 2014

SMS error resolved, and our apologies

March 20th SMS Error

This afternoon we experienced an error that caused multiple SMS messages to be sent to several thousand of our customers. First, if you were affected by this error, we deeply regret and apologize for whatever inconveniences may have been caused. Here’s what happened, why it happened and what we’re doing to make sure it doesn’t happen again.

What happened

We recently changed our customer support line to the below. To notify customers of this change, we sent an email and SMS message to “all users” and posted updates on our social media accounts.

Our new support line

At approximately 14:30, we realized that a number of customers were receiving our SMS message multiple times, so we implemented a “code red” to isolate and stop further communication. Queued messages continued to be sent between approximately 14:30 and 15:30, totaling in the thousands.

In the end, the cause of the error is both simple and embarrassing: slow Internet and poor internal controls.

We’ve been having issues with our ISP for the last few weeks, so Internet in the office has been very slow. When we scheduled the SMS blast from our Admin portal, the page hanged for 10+ minutes, so we tried to send it again.

After investigation, it appears we clicked the “Send” button 10-15 times. As a result, some of our customers’ phones looked like this (thanks for sharing, @TheRealWainaina):

Photo courtesy of @TheRealWainain on Twitter

This is an embarrassing and completely preventable mistake, and it’s entirely on our shoulders.

Why it happened

We’ve spent so much time focusing on customer UI / UX that we’ve neglected our own. Every day, 20+ Kopo Kopo employees are logged in to our Admin portal to manage everything from customer support to proactive engagement to data analytics. In this particular case, we were using our “Notifications” portal to send the SMS blast.

As of this morning, all we had to do was enter the content of a message and click “Send” to send an SMS to any number of customers. Once “Send” was clicked, we would post the message details to our Premium Rate Service Provider (PRSP) via an API integration, and the messages would be sent instantaneously.

As of this afternoon, that was no longer the case.

What we’re doing to prevent it from happening again

We’ve already pushed a change that disables the “Send” button after it’s been clicked once, so we can’t accidentally click it multiple times. But that’s not enough. Beyond that, we’ll be adding the following controls in the coming days:

  • Confirmation - A Kopo Kopo Admin will have to manually confirm the details of a communication before it is sent.
  • Two-factor authentication – A Kopo Kopo Admin will have to re-enter their password every time they schedule an SMS blast.
  • Queuing - We won’t enable real-time communication from Kopo Kopo Admin users anymore. Instead, all of our communications will now be scheduled with a built-in delay so we have time to re-confirm details, re-schedule to a different time, or cancel a communication.

We take our work seriously and have tremendous respect for our customers’ time. That said, we’re thoroughly embarrassed this happened at all.

But we’re equally resolved to make sure it never happens again.  

Thanks for your continued support, feedback and patience throughout the day. We’re sincerely grateful to work with you.

- Team Kopo Kopo (@KopoKopoInc)

Feb 2014

A new identity to embody simplicity, direction and focus

New Kopo Kopo Logo

Our first logo was designed more than three years ago – back when we were an idea in a basement. Originally designed by Rafael Smith without a company or identity in mind, it came to represent a unifying force in a disparate ecosystem.

Today it’s time to create our own meaning – one that embodies simplicity, direction and focus.

That’s why we’re thrilled to unveil our new logo. It’s designed to stand out on a small screen, work well in 2D and accommodate both full-colour and mono-colour environments.

But that’s not what excites us about our new identity. We’re excited because we’ve always believed in minimalism – the idea that there is beauty and elegance in simplicity. We work tirelessly to strip away the complex and frustrating in order to create a seamless experience for our customers, and we wanted our logo to express that.

When we think about our mission – to help small and medium businesses grow and prosper – we’re also reminded of the legacy systems and mindsets that benefit from the status quo. We continually embrace new challenges with an eye on the horizon. Our new logo represents that forward momentum and endurance, the key components of progress.

Last, our new logo emphasizes focus. Its crisp lines and solid colours represent the clarity of vision that inspires our every action.

Lovingly crafted in Nairobi and refined over three years, our service is now ready to fulfill a global need. As we take on new challenges in new markets, our new identity will remind us of who we are, where we came from and what we hope to achieve.

- Team Kopo Kopo (@KopoKopoInc)

Business card Macbook and Android Samsung Galaxy Stationery

All trademarks are properties of their respective owners.


Feb 2014

Press Release: 3G Direct Pay forges strategic partnership with Kopo Kopo

Eran and Francis demo a payment

Nairobi, Kenya 6 February 2014 ….. 3G Direct Pay Limited, a leading online payments service provider, today announced a strategic business partnership with Kopo Kopo, a merchant services platform for mobile network operators in emerging markets.

Eran Feinstein, Managing Director, 3G Direct Pay Limited signed the partnership agreement which he said would bring innovative payment options for the regional travel industry.

“Our partnership, the first of any in the world, will introduce mobile money to the online arena,” commented Feinstein.  “Together, 3G Direct Pay Limited and Kopo Kopo will provide the travel providers with the option to accept online all modes of payment from credit cards, PayPal, and Mobile Money.

“By using the Kopo Kopo merchant services platform, 3G Direct Pay Limited will provide all leading mobile money options in the region as part of its online platform used by the travel providers. This includes Kenya’s M-PESA as well as Tanzania’s M-Pesa and Tigo Pesa, with additional services to soon follow.”

While the 3G Direct Pay’s platform provides a secure online payments solution to any provider and can be used as part of any e-commerce checkout, Kopo Kopo’s end-to-end platform allows operators and other payment providers to acquire and manage merchants who wish to accept mobile money payments.

“Mobile money has emerged as one of the fastest growing consumer products,” said Francis Mugane, Head of Sales & Distribution, Kopo Kopo.  “The Kopo Kopo platform creates a vital link in the mobile money ecosystem by allowing consumers to pay at the merchants of their choice, unlocking billions in potential demand. We make it easy, inexpensive and convenient for a business to accept mobile money payments.”

Mr. Feinstein explained the system process step-by-step:

  • end customer visit the payment page (powered by 3G Direct Pay Limited)
  • end customer selects mobile money option (based on the they country)
  • end customer pays online using they mobile money account
  • 3G Direct Pay providers real-time confirmation to the end customer

3G Direct Pay Limited leads the African online travel market since 2006, where hundreds of travel businesses and millions of end customers can shop, pay, sell and get paid. The online payments platform is connected to all leading credit card types and electronic wallets, including Visa, MasterCard, American Express and PayPal. 3G Direct Pay Limited fills the online gap between the providers and the consumers.

3G Direct Pay Limited is renowned in the travel and tourism industry, where we offer our clients through our online platforms.  Our partnership with Kopo Kopo will enable our East African clients to extend their payment options using mobile money anywhere in Kenya, Uganda, Tanzania and Zanzibar,” concluded Feinstein.

For more information, please contact Catherine Gathii (sales@3gdirectpay.com) or Francis Mugane (francis@kopokopo.com).

Feb 2014

Chickens, Eggs, and Network Effects: How Payments Markets Succeed

This is Part II of our series on mobile payments in emerging markets. Part I provided an infographic highlighting the rapidly evolving payments ecosystem in East Africa.

Every payment has at least two sides, often a consumer and a business (or merchant). Payment companies and platforms, like Kopo Kopo, make it easier for those two sides to connect. Economists who have studied payments and other “multi-sided markets,” have found that successful payment platforms take advantage of “network effects.” This means that success breeds success: The more a platform is able to connect the two sides of a payment, the more that payment system will grow, and the more successful that payment system will be.

The chicken-and-egg question for payment providers is: Where do you start?
Do you start building out the consumer side? Or the merchant side? Can you do both? There is no easy answer.

Most mobile money operators in emerging markets have started with the consumer side. The world’s most successful deployments have launched with consumer- friendly value propositions (“Send Money Home”), massive investments in cash-in/cash-out agent networks and mass- market product offerings (SMS or USSD). Once consumer demand is in place, operators have begun to focus on the merchant acceptance side.

Kopo Kopo’s experience in Kenya provides a perfect example. When we first launched in early 2012, Safaricom had already successfully reached nearly 8 out of 10 consumers with their M-PESA service. Yet, less than 1% of businesses had opened a business account. It was a natural next step to create more places for consumers to make payments and Lipa Na M-PESA was born.

two sided merchant payments

Kenya’s consumer-led approach is now taking off. Tens of thousands of merchants have signed up for Lipa Na M-PESA, and more are signing up every day.

There may, however, be another way. Ultimately, each payment provider in its market will have to strike a balance weighing considerations such as:

  1. Existing market and mind share penetration on each side of the market (consumers and merchants)
  2. Perceived value in the payment platform by each group
  3. Price sensitivity
  4. Ease and proven effectiveness of subsidies
  5. Regulatory limitations

Each of these core considerations will need be balanced with the provider’s definition of success to build out a go-to-market plan that gets past the chicken-and-the-egg and arrives at the holy grail: The network effect of a two-sided market.
Part III of this series will look at the rising consumer class in emerging markets.

- Dylan Higgins, CEO (@DylanHiggins)

PS: We just launched an all-new website for our global audience. We welcome your feedback on www.kopokopo.com.